Add simple implementation of content-security-policy on scripts / styles

This needs a lot more hooks before it'll actually be a good implementation, but for a start it can help get some feedback on if this is the right way to go about it. Part of servo/servo#4577
2025-08-03 12:40:06 +01:00 · 2019-09-28 19:42:40 +00:00 · 2019-09-28 19:42:40 +00:00 · b8f3e8bb2e
commit b8f3e8bb2e
parent 6d488f1be2
16 changed files with 175 additions and 41 deletions
--- a/components/net_traits/request.rs
+++ b/components/net_traits/request.rs
@ -4,6 +4,7 @@

 use crate::ReferrerPolicy;
 use crate::ResourceTimingType;
+use content_security_policy::{self as csp, CspList};
 use http::HeaderMap;
 use hyper::Method;
 use msg::constellation_msg::PipelineId;
@ -20,37 +21,7 @@ pub enum Initiator {
 }

 /// A request [destination](https://fetch.spec.whatwg.org/#concept-request-destination)
-#[derive(Clone, Copy, Debug, Deserialize, MallocSizeOf, PartialEq, Serialize)]
-pub enum Destination {
-    None,
-    Audio,
-    Document,
-    Embed,
-    Font,
-    Image,
-    Manifest,
-    Object,
-    Report,
-    Script,
-    ServiceWorker,
-    SharedWorker,
-    Style,
-    Track,
-    Video,
-    Worker,
-    Xslt,
-}
-
-impl Destination {
-    /// https://fetch.spec.whatwg.org/#request-destination-script-like
-    #[inline]
-    pub fn is_script_like(&self) -> bool {
-        *self == Destination::Script ||
-            *self == Destination::ServiceWorker ||
-            *self == Destination::SharedWorker ||
-            *self == Destination::Worker
-    }
-}
+pub use csp::Destination;

 /// A request [origin](https://fetch.spec.whatwg.org/#concept-request-origin)
 #[derive(Clone, Debug, Deserialize, MallocSizeOf, PartialEq, Serialize)]
@ -175,6 +146,11 @@ pub struct RequestBuilder {
    pub pipeline_id: Option<PipelineId>,
    pub redirect_mode: RedirectMode,
    pub integrity_metadata: String,
+    // This is nominally a part of the client's global object.
+    // It is copied here to avoid having to reach across the thread
+    // boundary every time a redirect occurs.
+    #[ignore_malloc_size_of = "Defined in rust-content-security-policy"]
+    pub csp_list: Option<CspList>,
    // to keep track of redirects
    pub url_list: Vec<ServoUrl>,
    pub parser_metadata: ParserMetadata,
@ -206,6 +182,7 @@ impl RequestBuilder {
            url_list: vec![],
            parser_metadata: ParserMetadata::Default,
            initiator: Initiator::None,
+            csp_list: None,
        }
    }

@ -329,6 +306,7 @@ impl RequestBuilder {
        request.url_list = url_list;
        request.integrity_metadata = self.integrity_metadata;
        request.parser_metadata = self.parser_metadata;
+        request.csp_list = self.csp_list;
        request
    }
 }
@ -396,6 +374,11 @@ pub struct Request {
    pub response_tainting: ResponseTainting,
    /// <https://fetch.spec.whatwg.org/#concept-request-parser-metadata>
    pub parser_metadata: ParserMetadata,
+    // This is nominally a part of the client's global object.
+    // It is copied here to avoid having to reach across the thread
+    // boundary every time a redirect occurs.
+    #[ignore_malloc_size_of = "Defined in rust-content-security-policy"]
+    pub csp_list: Option<CspList>,
 }

 impl Request {
@ -428,6 +411,7 @@ impl Request {
            parser_metadata: ParserMetadata::Default,
            redirect_count: 0,
            response_tainting: ResponseTainting::Basic,
+            csp_list: None,
        }
    }